Schneider Electric Software, LLC has a mitigation plan to address a stack-based buffer overflow in its InduSoft Web Studio, InTouch Machine Edition, according to a report with ICS-CERT.
Successful exploitation of this vulnerability during tag, alarm, or event related actions could allow remote code execution that, under high privileges, could completely compromise the device.
Tenable Research reported this vulnerability to Schneider Electric Software, which then coordinated with NCCIC.
The following versions of InduSoft Web Studio and InTouch Machine Edition, an HMI, suffer from the remotely exploitable vulnerability:
• InduSoft Web Studio v8.1 and prior versions
• InTouch Machine Edition 2017 v8.1 and prior versions
In the vulnerability, a remote attacker could send a carefully crafted packet during a tag, alarm, or event related action such as read and write, which may allow remote code execution.
CVE-2018-8840 has been assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
The product sees use in the commercial facilities, critical manufacturing, energy, transportation systems, and water and wastewater systems sectors. It also sees action on a global basis.
An attacker with low skill level could leverage the vulnerability.
Schneider Electric Software recommends:
• Users using InduSoft Web Studio v8.1 or prior versions are affected and should upgrade and apply InduSoft Web Studio v8.1 SP1 as soon as possible
• Users using InTouch Machine Edition 2017 v8.1 or prior versions are affected and should upgrade and apply InTouch Machine Edition 2017 v8.1 SP1 as soon as possible
Schneider Electric Software released Security Bulletin LFSEC00000125.